
add u2f group for SSH's FIDO/U2F key support
Closed, Public

Authored by emaste on Feb 22 2022, 4:52 PM.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

emaste created this revision.

Patch open for discussion -- we have FIDO/U2F support in base system ssh now, but the client requires some additional configuration. Installing the security/u2f-devd package takes care of this but it seems like this ought to be provided by the base system. We could take the u2f.conf from the port into the base system, but the port is better suited to updates (new devices). Perhaps it's reasonable to take a snapshot u2f.conf but also keep the port for updates?

Snippet from u2f.conf:

# Allow members of group u2f to access U2F authentication tokens.
# 'notify' rules work on /dev/usb/* (used by libu2f-host),
# 'attach' rules work on /dev/uhid* (used by web browsers)

# Yubico Yubikey
notify 100 {
        match "system"          "USB";
        match "subsystem"       "DEVICE";
        match "type"            "ATTACH";
        match "vendor"          "0x1050";
        match "product"         "(0x0113|0x0114|0x0115|0x0116|0x0120|0x0200|0x0402|0x0403|0x0404|0x0406|0x0407|0x0410)";
        action  "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
};

Perhaps it's reasonable to take a snapshot u2f.conf but also keep the port for updates?

Yeah, sounds good to me.

This revision was not accepted when it landed; it landed in state Needs Review.
Mar 14 2023, 5:12 PM
This revision was automatically updated to reflect the committed changes.
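
Added example, not part of the review or of FreeBSD's code: a small Python model of how the u2f.conf rule quoted above selects a device and what action it would run, useful for auditing which vendor/product IDs end up with group u2f read/write access. The event line, the cdev value and all function names are constructed for illustration; the matching model (every match clause must hold, regex applied to the whole value) and the use of Python's re in place of devd's own regex engine are assumptions.

```python
import re

# Constructed input: the Yubico rule quoted in the review, as one devd.conf block.
SAMPLE_CONF = r'''
# Yubico Yubikey
notify 100 {
        match "system"          "USB";
        match "subsystem"       "DEVICE";
        match "type"            "ATTACH";
        match "vendor"          "0x1050";
        match "product"         "(0x0113|0x0114|0x0115|0x0116|0x0120|0x0200|0x0402|0x0403|0x0404|0x0406|0x0407|0x0410)";
        action  "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
};
'''

BLOCK_RE = re.compile(r'^(notify|attach)\s+(\d+)\s*\{(.*?)^\};', re.M | re.S)
MATCH_RE = re.compile(r'match\s+"([^"]+)"\s+"([^"]*)"\s*;')
ACTION_RE = re.compile(r'action\s+"([^"]*)"\s*;')


def parse_rules(text):
    """Parse notify/attach blocks into dicts (simplified: no '#' inside strings)."""
    text = re.sub(r'#.*', '', text)  # drop comments
    rules = []
    for kind, prio, body in BLOCK_RE.findall(text):
        action = ACTION_RE.search(body)
        rules.append({"kind": kind, "priority": int(prio),
                      "matches": dict(MATCH_RE.findall(body)),
                      "action": action.group(1) if action else None})
    return rules


def parse_event(line):
    """Split a '!key=value key=value ...' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.lstrip("!").split() if "=" in kv)


def rule_applies(rule, event):
    """Assumed model: all match clauses must hold; regex covers the whole value."""
    return all(var in event and re.fullmatch(rx, event[var])
               for var, rx in rule["matches"].items())


def expand_action(rule, event):
    """Substitute $name references in the action with values from the event."""
    return re.sub(r'\$(\w+)', lambda m: event.get(m.group(1), ''), rule["action"])


if __name__ == "__main__":
    rule = parse_rules(SAMPLE_CONF)[0]
    ev = parse_event("!system=USB subsystem=DEVICE type=ATTACH cdev=ugen0.2 "
                     "vendor=0x1050 product=0x0407")  # constructed event
    print(rule_applies(rule, ev), expand_action(rule, ev))
```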